Build Safety-Critical Designs with UML-based Fault Tree Analysis - The basics

Bruce Powel Douglass, IBM/Rational

April 27, 2009

Bruce Powel Douglass, IBM/RationalApril 27, 2009

The Unified Modeling Language (UML) has been successfully been used in many real-time and embedded domains, including aerospace, military, and medical markets. Many of these systems within these markets are used within safety critical contexts.

So far, disparate tools and environments have been used for capturing requirements, creating designs, and analyzing system safety. However, UML is an extremely powerful, extensible language. To this end, I have created a UML profile that support capturing requirements, creating designs, and analyzing system safety all within the same UML tool environment.

This series of three articles will discuss the use of Fault Tree Analysis (FTA) for safety analysis in embedded systems design and use of the UML profiling mechanism to create a safety analysis profile, including the definition of its normative metamode.

This profile enables developers and analysts to capture safety-related requirements, perform FTA and other safety analyses, create designs that meet those safety concerns, and provide reports showing the relations between the safety analysis, requirements, and design model elements.

What is Safety?
The paucity of material on safety critical systems has lead to widespread misunderstanding of the various terms used to discuss safety. The most basic term is safety. Safety is defined to be freedom from accidents or losses. An accident is an event in time in which an undesirable consequence occurs, such as death, injury, equipment damage, or financial loss.

A safety-critical system in a system, which may contain electronic, mechanical, and software aspects, that presents an opportunity for accidents to occur. For many people, safety-critical systems are only those that present the opportunity for injury or loss of life, but this omits from consideration other systems which might benefit from the techniques and approaches common in safety analysis. Therefore, I prefer to designate a safety critical system to be any system in which the cost of use of a system due to an accident is potentially high.

A hazard is system state that when combined with other environmental conditions inevitably leads to an accident [1]. Hazards are normally classified as to severity. For example, there is a hazard of being shocked when jumping the 12-volt battery in your car, but this is a less severe risk than slamming into a mountainside at 600 knots while riding in a commercial aircraft. Different standards use different categories for hazard severity.

For example, the FDA[2] uses major (irreversible injury or death), moderate (injury), and minor (no injury) levels of concern for device safety. The German standard DIN 19250 identifies 8 categories, along with required safety measures for each category while the more recent IEC 61508 [3] identifies 4 safety integrity levels (SILs): catastrophic, critical, marginal, and negligible, although the text notes that the severity of system-presented hazards is actually a continuum.

The risk of a hazard is defined to be the product of the probability of the occurrence of the hazard and its severity:

Riskhazard = probabilityhazard x severityhazard

Being shocked by your car battery is relatively high but when combined with the low severity, the overall risk is low. Similarly, while the consequences of an abrupt release of the kinetic energy of a commercial aircraft are quite severe, its probability is low " again resulting in a low risk. The various standards also identify different risk levels based on both the severity of the hazard and its likelihood of occurrence.

In the process of system design, hazards must be identified and safety measures must be put in place to reduce the risk.

< Previous
Page 1 of 4
Next >

Loading comments...